If we have a router running a zone-based firewall and doing NAT, but the VPN terminates on an ASA in the inside zone, do we need to consider the incoming client VPNs as being destined for the "self" zone if we are using NAT overloading through the outside interface of the router?
The rules are below:
* Whenever you filter traffic transiting the router, you control it with a zone-pair specifying an inside and an outside zone.
* The self zone controls traffic sent to the router itself or originated by the router.
* Unless you specify a zone-pair combining the self zone with another zone, all traffic from that zone sent to the router itself is allowed (the router is not protected).
* To control traffic that the router can send into a zone use a zone-pair from self to another zone. Use inspect in the service-policy to allow the return traffic.
* To filter the traffic that the router can accept, use a zone-pair from another zone to self. Only the packets accepted by this zone-pair's service-policy will be accepted by the router.
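The configuration below is an added example that applies the rules above to the scenario in the question; it is not from the original post or from Cisco documentation. Interface names, addresses, ACL and zone names are assumptions, as is the design choice that the ASA is reached through a static 1:1 translation alongside the overload rule for the inside network (the question only mentions the overload). The VPN flows are handled by the OUTSIDE-to-INSIDE zone-pair as transit traffic, while only traffic that actually terminates on the router (management sessions, the router's own DNS/NTP queries) goes through the self-zone pairs. One further assumption is that inspection runs after NAT, so the class-map ACL matches the ASA's inside (post-NAT) address; verify that ordering on your IOS release before relying on it.

```cisco
! Added example, not from the original post. All names and addresses
! are hypothetical:
!   outside: Gi0/0, 203.0.113.2/29 (overload address)
!   inside : Gi0/1, 192.168.1.1/24
!   ASA VPN interface 192.168.1.2, published as 203.0.113.3 (assumed static NAT)
!
ip access-list standard INSIDE-NETS
 permit 192.168.1.0 0.0.0.255
ip nat inside source list INSIDE-NETS interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.1.2 203.0.113.3
!
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
! Rule 1: transit traffic, INSIDE -> OUTSIDE. inspect builds state so
! replies to NAT-overloaded sessions come back without a separate rule.
! ESP from the ASA to VPN clients is stateless, so it needs pass here too.
ip access-list extended ESP-FROM-ASA
 permit esp host 192.168.1.2 any
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all ESP-FROM-ASA-CLASS
 match access-group name ESP-FROM-ASA
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class type inspect ESP-FROM-ASA-CLASS
  pass
 class class-default
  drop log
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! Rule 1 again: VPN clients to the ASA are transit traffic (destination
! is the ASA after the static translation), not self-zone traffic.
! ASSUMPTION: inspection sees the post-NAT inside address 192.168.1.2.
ip access-list extended VPN-TO-ASA-UDP-TCP
 permit udp any host 192.168.1.2 eq isakmp
 permit udp any host 192.168.1.2 eq non500-isakmp
 permit tcp any host 192.168.1.2 eq 443
ip access-list extended VPN-TO-ASA-ESP
 permit esp any host 192.168.1.2
class-map type inspect match-all VPN-TO-ASA-UDP-TCP-CLASS
 match access-group name VPN-TO-ASA-UDP-TCP
class-map type inspect match-all VPN-TO-ASA-ESP-CLASS
 match access-group name VPN-TO-ASA-ESP
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect VPN-TO-ASA-UDP-TCP-CLASS
  inspect
 class type inspect VPN-TO-ASA-ESP-CLASS
  pass
 class class-default
  drop log
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
! Rules 2-5: the self zone. Without these pairs the router accepts
! anything from any zone. Only management from INSIDE reaches the router;
! the OUTSIDE -> self pair uses the same policy, so nothing from the
! Internet terminates on the router itself.
ip access-list extended MGMT-TO-SELF
 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 22
 permit icmp 192.168.1.0 0.0.0.255 host 192.168.1.1 echo
class-map type inspect match-all MGMT-TO-SELF-CLASS
 match access-group name MGMT-TO-SELF
policy-map type inspect TO-SELF-POLICY
 class type inspect MGMT-TO-SELF-CLASS
  inspect
 class class-default
  drop log
zone-pair security IN-SELF source INSIDE destination self
 service-policy type inspect TO-SELF-POLICY
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect TO-SELF-POLICY
!
! Rule 4: traffic the router originates (DNS, NTP, ping) towards OUTSIDE,
! inspected so the replies are admitted.
class-map type inspect match-any SELF-TO-OUTSIDE-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect SELF-TO-OUTSIDE-POLICY
 class type inspect SELF-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
zone-pair security SELF-OUT source self destination OUTSIDE
 service-policy type inspect SELF-TO-OUTSIDE-POLICY
```

To confirm which zone-pair a VPN client's session actually hits, bring up a client and run `show policy-map type inspect zone-pair sessions`: an IKE or SSL session listed under OUT-IN shows it was classified as transit traffic, whereas if it is missing there and the drop log counters on OUT-SELF are climbing, your platform is classifying before NAT and the ACL needs the translated (public) address instead.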